MEMORANDUM TO THE DEPUTY MINISTER


Proposed Approach for the On-Going Monitoring of Internal Controls over
Financial Reporting Specific to Entity Level Controls
(FOR APPROVAL)


SUMMARY

• Entity Level Controls (ELCs) are high-level controls that have an impact on the
Department as a whole. They include governance and senior management
oversight, the tone at the top, the organization's culture, values and ethics, risk
management, communications, and human resources.


• As per Treasury Board's Policy on Internal Control, deputy heads are responsible
for ensuring the monitoring and review of the departmental system of internal
controls, which includes ELCs. An On-Going Monitoring Plan that highlights the
Department's approach to monitoring controls is developed every 3 years by the
Finance and Planning Branch (FPB). Of the ELCs listed above, the Plan only
covers controls which, if they fail, could impact the Departmental Financial
Statements (these controls are referred to as Internal Controls over Financial
Reporting — ICFR).


• Given the risks that could stem from the assessment of the Department's ELCs
and their overarching impact on the organization, your approval is sought on the
proposed approach to assess ELCs by April 19, 2016. This will ensure enough
time for the inclusion of the recommended option in the new 2016-19 ICFR
On-Going Monitoring Plan and monitoring activities starting in April 2016 and will also
ensure that FPB's commitment as per the recommendation in the 2015 internal
audit of the monitoring of the system of ICFR is met.


• In order to complete the assessment of ELCs that have an impact on ICFR, it is
recommended that FPB develop a questionnaire. FPB will then complete the
questionnaire and its completion will enable the assessment of ELCs.


• FPB obtained confirmation from the Office of the Comptroller General (OCG) on
December 17, 2015, that its proposed approach for the assessment of ELCs is
deemed appropriate and similar to the approach taken by other departments.


• Considering that ELCs may have a horizontal impact on the Department overall,
FPB will share the results of its assessment of ELCs with Internal Audit Services.


• DO YOU APPROVE?
BACKGROUND


As per the Treasury Board Policy on Internal Control (PIC), effective April 1, 2009, 
deputy heads are responsible for ensuring the monitoring and review of the 
departmental system of internal controls to mitigate risks. 


The standard government-wide approach followed by the Department of Justice is to 
assess three distinct levels of controls: Entity Level Controls (ELCs), Information 
Technology General Controls (ITGCs) and Process Level Controls (PLCs). 


An On-Going Monitoring Plan is developed every 3 years by the Finance and Planning 
Branch (FPB) which highlights the Department's approach to monitoring these controls. 
The Plan only covers controls which, if they fail, could impact the Departmental 
Financial Statements (these controls are referred to as Internal Controls over Financial 
Reporting — ICFR). This briefing note is only in regards to the approach for ELCs. 


ELCs are high-level controls that have an impact on the Department as a whole. They 
include the tone at the top, the organization's culture, values and ethics, risk
management, governance, communications, and human resources. Due to their 
overarching nature, ELCs contribute to the overall effectiveness of ICFR. 


Currently, in order to assess ELCs, FPB monitors existing assessments and other 
initiatives within the Department (e.g. Management Accountability Framework (MAF) 
assessments, Public Employee surveys, audits) in order to conclude whether there are
weaknesses that could have an impact on ICFR.


The 2015 internal audit of the monitoring of the system of ICFR had the following 
recommendation regarding ELCs: FPB should have a process for assessing specific 
ELCs that are not receiving adequate assurance through existing assessments and 
other initiatives (refer to Annex A). 


OPTIONS / KEY CONSIDERATIONS

1. Status Quo

FPB continues to monitor ELCs based on existing assessments and other initiatives
within the Department. This being said, if no assessment or other initiative currently
exists for a specific ELC, FPB will not conduct its own assessment of that specific ELC.

2. FPB assesses ELCs which have an impact on ICFR based on a questionnaire
to be developed and communicates the weaknesses identified to the
Departmental Audit Committee and Internal Audit through the ICFR Annual
Report (frequency of ELC assessment to be based on the ICFR Monitoring
Plan)


FPB's proposed approach consists of developing a questionnaire in order to document 
its assessment of ELCs. As confirmed by the Office of the Comptroller General (OCG) 
on December 17, 2015, this approach is deemed appropriate and similar to the 
approach taken by other departments. 


FPB's questionnaire will be based on the widely recognized control framework from the
Committee of Sponsoring Organizations of the Treadway Commission (COSO) as well
as the Core Management Controls (which were developed by the Internal Audit Sector
of the Office of the Comptroller General and are based on COSO) and will pertain to the
ELCs that have an impact on ICFR. As an example, when assessing governance, FPB
would need to answer questions such as: "Is there an open line of communication
between the Departmental Audit Committee (DAC), the senior management committee,
internal auditors and external auditors?".


FPB will be responsible for completing the questionnaire and will not only be referencing 
existing assessments and initiatives but will also need to review other relevant 
documentation supporting the existence and proper implementation of these ELCs that 
have an impact on ICFR. 


FPB will take into consideration the risks identified through its ELC assessments when
completing its control testing of the other levels of controls. FPB will also communicate
the weaknesses identified as well as its recommendations to mitigate the risks to the
appropriate stakeholders and ensure management action plans (MAPs) are developed.


FPB will track the MAPs and perform follow-ups with the stakeholders to ensure their 
implementation. 


In addition, the results of FPB's assessment of ELCs that have an impact on ICFR will 
be communicated to senior management and the DAC via its annual Results of the On- 
Going Monitoring for Internal Controls over Financial Reporting. 

Taking into consideration that ELCs may have a horizontal impact on the Department 
overall, FPB will share the results of its assessment of ELCs with Internal Audit Services 
(IAS).


This option would meet IAS’ recommendation for "identifying and addressing ELC gaps 
where testing by others is not sufficient to assess the selected key controls". 
It should be noted that FPB has shared with IAS its recommended option and the
Chief Audit Executive confirmed being in agreement with the proposed approach. 


RESOURCE IMPLICATIONS 


Both options have no additional resource implications.


COMMUNICATION IMPLICATIONS 


The approved option will be communicated to the IAS and then to DAC during the 
management action plan update process. 
RECOMMENDATION
Based on the previously stated considerations, Option 2 is recommended. 


It is recommended that you indicate your concurrence with Option 2 by signing the 
approval block in the summary box.


NEXT STEPS 


The 2016-19 ICFR On-Going Monitoring Plan will be updated to reflect the new
approach for the assessment of ELCs and will be presented to MC and DAC by August
31, 2016.


Attachments 
Annex A - Recommendations, Management Response and Action Plan for the Audit of
the Monitoring of the System of Internal Control Over Financial Reporting


Prepared by: 

Geneviève Bégin, Acting Chief, Departmental Financial Control, Financial Policy and
Controls Division, 613-960-0713

Date: April 12, 2016 


Reviewed by:


Maxime Patry, Manager, Financial Policy and Controls Division, Finance and Planning 
Branch, 613-960-4926 


Date: April 12, 2016


Reviewed by: 

Eric Trépanier, Director General, Finance and Planning Branch & Deputy Chief 
Financial Officer, 613-948-5117 

Date: April 12, 2016 


Approved by:
Marie-Josée Thivierge, Assistant Deputy Minister, Management Sector and Chief
Financial Officer

Date:

Approved by:
Pierre Legault, Associate Deputy Minister

Date:
Recommendations, Management Response and Action Plan for the
Audit of the Monitoring of the System of Internal Control Over Financial
Reporting


Recommendation 1


The Assistant Deputy Minister Management Sector and Chief
Financial Officer should improve reporting to oversight bodies to
more fully describe the risk-based approach applied in monitoring
ICFR, including the scope and extent of operating effectiveness
testing that is planned and conducted.


Office of Primary Interest (OPI)


Assistant Deputy Minister and Chief Financial Officer,
Management and CFO Sector


Management Response and Action Plan 
Building on the established process of presenting the annual 
Internal Controls over Financial Reporting (ICFR) Results 
Report and other related information (e.g. ICFR Multi-Year 
Plans) to Management Committee (MC) and the Departmental 
Audit Committee (DAC) as part of the annual Departmental 
Financial Statements (DFS) package, the 2015-16 ICFR Results
Report will be revised as appropriate, to more fully describe the
risk-based approach taken in monitoring ICFR. The ICFR
Results Report will be presented to MC and DAC as part of the
2015-16 DFS package by August 31, 2016.


The 2015-18 ICFR Multi-Year Plan presented to DAC in June 
2013 will be updated as appropriate, to more fully describe the 
risk-based approach to monitoring ICFR. The updated Plan will 
cover the period of up to 2016-19 and will be included in the 
2015-16 DFS package.


As per the established process, feedback regarding the ICFR
Results Report and Multi-Year Plan will be requested from MC
and the DAC, including the depth of information to be captured,
in order to further refine the plans and reports in subsequent
years.


Target Implementation Date


August 31, 2016


Recommendation 2


It is recommended that the Assistant Deputy Minister and
Chief Financial Officer implement a process to ensure that key controls
are appropriately identified, documented and maintained to
adequately support ongoing monitoring of the system of ICFR.
This will include:

• Documenting sub-processes, risks and key controls for all in-scope
financial statement accounts;

• Fully identifying and documenting ELCs and ITGCs; and

• Developing a process to ensure this information is
validated and maintained.


Office of Primary Interest (OPI)


Assistant Deputy Minister and Chief Financial Officer,
Management and CFO Sector


Management Response and Action Plan

Process Level Controls (PLCs):


The 2016-19 ICFR Multi-Year Plan (refer to recommendation
#1) will include a revised financial statement accounts
monitoring schedule, which will change the current annual
"breadth-based focus" to a more "in-depth testing focus". This
new monitoring schedule will include less accounts per year but
more in-depth testing, providing the same level of assurance
overall. Building on the existing monitoring process and
documentation, relevant sub-processes of financial statement
accounts will be fully documented during the course of the
monitoring projects. The documentation of relevant sub-processes,
risks and key controls for all in-scope financial
statement accounts will be completed throughout the 2016-19
ICFR Multi-Year Plan cycle. Milestones will be completed each
year beginning in 2016-17 as accounts are monitored as
scheduled, with initial work having already been started in
2015-16.


A process to ensure the information is validated and maintained
going forward will be developed and documented in the
Financial Policy and Controls Division (FPCD) ICFR deskbook
by August 31, 2016 for PLCs, as well as Entity Level Controls
(ELCs) and Information Technology General Controls (ITGCs)
as appropriate. The process will be designed so that any new
methodologies, direction, etc. from the Office of the Comptroller
General can be integrated going forward.


Entity Level Controls (ELCs): 


The ELCs were fully identified in 2009-10 and updated in 
2011-12, with no gaps identified. The ELCs were subsequently 
grouped and narrowed down to those relevant to ICFR for 
administrative ease for on-going monitoring. 


By March 31, 2016, the ELCs that were grouped will be
ungrouped into more specific controls to better identify ELCs 
that could impact PLCs. 


Information Technology General Controls (ITGCs):


Recognizing the benefits of documenting ITGCs, significant 
resources were previously invested in systems projects that were 
unfortunately cancelled at the direction of the Treasury Board
Secretariat (TBS). As a result, moving forward in regards to
ITGCs will require consultations with TBS regarding the
intention and timeline for new government-wide standard
systems via the Financial Management Transformation
initiative. The documentation of ITGCs moving forward and
deadlines will be based on those consultations to ensure that any
ITGC work performed will align with TBS initiatives and will
effectively use available resources. For context, ITGCs work
going forward will focus on the Integrated Financial and
Materiel System (IFMS), as there have been significant changes
in the ownership of, and reliance on, other systems since the
initial ITGC documentation in 2007. Relevant ITGCs within
other Justice Canada managed IT systems will also be assessed
to determine their ICFR-related risks and to determine how they
should be monitored going forward.


Target Implementation Date 


ELCs - March 31, 2016
For PLCs, ELCs & ITGCs - Development and documentation of
process for validating and maintaining documentation for sub-processes,
risks and controls (as appropriate) - August 31, 2016
PLCs - March 31, 2019 (with annual milestones, as per the
2016-19 ICFR Multi-Year Plan)
ITGCs - Subject to TBS direction


Recommendation 3


It is recommended that the Assistant Deputy Minister
Management Sector and Chief Financial Officer develop,
document and implement an approach for the annual selection
of key controls for OE testing (PLCs, ELCs, and ITGCs). This approach
should include:

• The risk factors to be assessed and how they
influence the selection of controls (i.e., weighting);

• The minimum level of testing required to determine the ongoing
of ICFR; and

• A process for identifying and addressing gaps where
testing by others is not sufficient to assess the
selected key controls.


Office of Primary Interest (OPI)


Assistant Deputy Minister and Chief Financial Officer,
Management and CFO Sector


Management Response and Action Plan


Within the Government of Canada, there are other policies,
directives and reporting requirements in addition to the PIC that
require Departments to provide assurance on the accuracy of
financial reporting. To meet these additional requirements there
are other various types of assurance work performed in addition
to Operating Effectiveness (OE) testing.


Process Level Controls (PLCs):


In this context, the Management and CFO Sector will provide
the DAC with a summary report of the work performed and
previously reported to DAC and senior management which
provided assurance on financial reporting from 2009-10 to
2014-15 for each financial statement account. The Summary
report will demonstrate that an appropriate level of PLCs
be provided by December 31, 2015.


In addition, the FPCD PIC working folders have been updated
to provide clearer links to the other attestation, controls design,
and policy work performed that provide assurance in addition to
OE testing. Going forward, FPCD will also maintain records of
project files so that evidence regarding assurance work on the
design of new processes and controls will be more readily
available.


Finally, the updating of documentation in the FPCD deskbook
and working documents over the 2016-19 ICFR Multi-Year Plan
cycle (refer to recommendation #2, work to be completed by
March 31, 2019) will include the development of a risk-based
approach for selecting sub-processes and controls to be tested
and the levels of testing to be conducted in order to provide
assurance.


Entity Level Controls (ELCs): 


Options and a recommendation regarding operating 
effectiveness testing going forward for ELCs will be provided to 
the Deputy Minister by January 31, 2016 for approval.


The above-noted approach to support the approved option for
ELCs will be documented as part of the overall deskbook
updates outlined in the management action plan for
recommendation #2 by August 31, 2016.


Information Technology General Controls (ITGCs): 


The ITGCs risk documentation will be developed as part of 
recommendation #2. Based on the consultations with TBS, an 
operating effectiveness testing plan will be developed once the 
ITGCs documentation has been updated and design effectiveness 
has been re-assessed. 


Target Implementation Date 


PLCs - December 31, 2015 (Summary report to DAC)
March 31, 2019 (Completion of documentation)


ELCs - January 31, 2016 (Options for operating effectiveness
testing provided to the Deputy Minister)
August 31, 2016 (documentation of approach based on
DM decision)


ITGCs - Subject to TBS direction
Prepared by:

Normand Vaillancourt 

General Counsel and NSG Director 
National Litigation Sector 
Date: April


Reviewed by:

Jodie van Dieen

Deputy Assistant Deputy Attorney General
National Litigation Sector

613-670-636 


Date: April G , 2016 


Approved by: 
Assistant Deputy Attorney General
National Litigation Sector 
Date: April , 2016

infrastructure was an extremely complex task.


There was considerable uncertainty during the transition to the new IT service model that 
complicated IT planning at the Department of Justice because the level of investment 
required by the Department of Justice in support of government-wide transformation 
projects initiated by SSC could not be accurately forecasted and because SSC was unable 
to provide accurate forecasts of the delivery date and the cost of new infrastructure 
required for projects initiated by the Department of Justice. 


The Auditor General tabled a report on February 2, 2016, that concluded that SSC 
"documented few agreements with partners that articulated clear and concrete service 
expectations, rarely provided reports to partners on service levels or the overall health of 
the IT infrastructure, and did not formally measure partners’ satisfaction with the 
services they received." Without a formal service level agreement, the Department of 
Justice has been unable to demonstrate to SSC that it is experiencing an unacceptable 
level of outages to core IT services. 


SSC has adopted a new functional direction that takes effect April 1, 2016, and that 
allows partner-funded investments to be made in legacy infrastructure without going 
through an exception process. 


SSC's response to the Auditor General's recommendations combined with the money 
provided in the latest budget should make it possible to reduce or eliminate the 
challenges that the Department of Justice has experienced working with SSC. 
MEMORANDUM FOR THE MINISTER


Challenges faced by the Department of Justice regarding Shared Services Canada 
ISSUE 


The recent report by the Auditor General on Shared Services Canada (SSC) as well as the 
hearings held by Parliament when SSC tabled its Report on Plans and Priorities have led to 
significant media attention about difficulties that SSC has had in fulfilling its mandate to provide
core IT services to government departments. 


BACKGROUND 


The creation of SSC involved the transfer of physical, human and financial resources from 43 
partner organizations into a new department. Assuming the responsibility for a large number of
existing components of IT infrastructure was an extremely complex task and, from its
inception, SSC was directed to devote the majority of its efforts to achieving cost savings through
the consolidation of email, networks, and data centres into enterprise level solutions.


This focus on major transformational initiatives limited the amount of support that SSC was able 
to provide for the legacy systems that were in existence when SSC was created. Delays in the 
delivery of enterprise solutions have placed an even greater strain on the legacy systems at 
partner organizations such as the Department of Justice. For example, the Email Transformation 
Initiative that involves the transition of over 100 disparate email solutions to a new shared email 
system for all government departments ran into major complications and the migration date for the
Department of Justice has been delayed by more than 15 months. This delay required the 
Department of Justice to make extended use of an interim solution for BlackBerry service that 
has been subject to several outages. 


These types of challenges were highlighted in a report tabled by the Auditor General on February 
2, 2016, that included the recommendation that SSC improve its reporting on transformation 
initiatives “to ensure that information reported to the senior management board on the status of 
transformation initiatives is clear and accurate." The Auditor General's report also concluded 
that “Shared Services Canada did not establish clear and concrete expectations for partners for
maintaining service levels." With no formal service level agreement and no comprehensive 
service catalogue, the Department of Justice has had difficulty responding quickly to outages to 
core IT services and has not been able to predict whether an enhancement request in legacy 
infrastructure will be accepted by SSC nor when an accepted request will be delivered. 


The Auditor General concluded that SSC does not have consistent practices in place “to 
recognize that there are partner costs involved in all transformation projects." The Department of 
Justice has started many initiatives in support of GC transformation projects led by SSC but it 
has been very difficult to anticipate the level of resources that Justice will require in support of
these projects, given the absence of information and fluctuating timelines. The funding for these
projects has occasionally gone unspent at fiscal year-end due to delays in SSC's transformation 
schedule that made it impossible for the Department of Justice to perform the work required to 
support the transformation initiative. 


Another recommendation of the Auditor General is that “Shared Services Canada should develop 
an overall service strategy that articulates how it will meet the needs of partners’ legacy 
infrastructure." At the creation of SSC, it was assumed that the funding that was transferred to 
their organization was sufficient to cover gradual increases in partner organizations’ IT 
requirements; however, no clear explanation was provided of the level of growth in
legacy infrastructure that SSC would reasonably expect. As a result, requests to increase the 
amount of network bandwidth or storage space used by the Department of Justice have received 
vastly different cost estimates: in some cases the costs have been borne by SSC and in others 
requests were charged back to the Department of Justice but at varied rates. The uncertainty
associated with this type of incremental increase has made it difficult for the Department of 
Justice to forecast IT expenses related to the maintenance of the existing IT environment. 


CONSIDERATIONS 


In their response to the Auditor General's report, SSC committed to implementing the 
recommendations of the Auditor General, saying that “By 31 December 2016, SSC will approve 
and communicate a comprehensive service strategy that sets out how it will deliver enterprise IT 
infrastructure services to meet the needs of Government of Canada partners and clients. The 
strategy will reflect SSC's overall approach to providing legacy and transformed services at 
defined levels, the role of partners within the strategy, how partner and client needs will be 
considered and addressed, and how the approach results in the best value to Canadians." The 
implementation of this strategy will improve the collaboration between SSC and the Department 
of Justice on IT planning and will allow a greater ability to achieve a level of IT service that 
consistently meets business needs. 


SSC has adopted a new functional direction effective April 1, 2016, that simplifies partner- 
funded investments in legacy infrastructure. This will allow the Department of Justice to restore 
some of its capacity to respond quickly to changing operational priorities that was lost with the 
creation of SSC. 


The budget announced on March 22, 2016, provides SSC $383.8 million over the next two years 
to support the transformation of government IT systems, data centres, and telecommunications 
networks and these funds should help SSC to balance the need to support partner operations in 
existing infrastructure with its requirement to create enterprise IT systems for the Government of 
Canada. 


The Department of Justice made it a priority to establish a strong partnership with SSC and has 
been holding regular meetings at the Assistant Deputy Minister, the Director General and the 
manager level to ensure strategic alignment between the two organizations and to integrate their
priorities into a common IT Plan. These regular meetings held with the Account Management 
team at SSC have increased SSC's understanding of the specific business requirements of the
Department of Justice and there is a willingness on both sides to work together to eliminate any 
challenges to the partnership between the two organizations, for example by improving the 
ability of both organizations to track the expenses associated with transformational projects and 
to ensure that the necessary resources are made available in the Department of Justice to support 
enterprise activities. 


Although SSC is working to stabilize operations and infrastructure and to improve its processes, 
the Department of Justice will be required to fund some of SSC's contributions to IM and IT 
projects.


CONCLUSION 


The Management and Chief Financial Officer Sector will continue to meet regularly with SSC to 
maintain a strong partnership between the two organizations, ensure that the SSC resources in 
support of the Department of Justice are deployed optimally, and monitor SSC's ability to
consistently achieve their service level targets. 


PREPARED BY 

Marj Akerley 

Chief Information Officer 
Management and CFO Sector 
613-941-3444 


revs mlu 12 Apr 2016-006252 - BN - SSC Implementation 




